CVE-2026-46817
We want to highlight the following vulnerabilities due to their severity and potential impact. CVE-2026-46840 affects the Backend-as-a-Service component of Oracle REST Data Services versions 24.2.0 through 26.1.0. The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTPS, requiring no user interaction. Oracle has indicated a scope change, meaning exploitation can extend impact beyond the directly vulnerable product to other dependent systems. Successful exploitation results in full takeover of Oracle REST Data Services. CVE-2026-46817 affects the File Transmission component of the Oracle Payments module within Oracle E-Business Suite versions 12.2.3 through 12.2.15. The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP, requiring no user interaction. Successful exploitation results in full takeover of Oracle Payments.
EPSS 0.11% · 29.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Oracle Hospitality Applications | |
| Oracle | Oracle E-Business Suite | |
| Oracle | Oracle Database Server | |
| Oracle | Oracle REST Data Services | |
| Oracle | Oracle Communications |
Timeline
- May 28, 2026 CVE Published
- May 28, 2026 CVE Updated
- May 29, 2026 EPSS Score
- May 30, 2026 EPSS Score
- May 31, 2026 EPSS Score
- Jun 1, 2026 EPSS Score
- Jun 2, 2026 Security Advisory
- Jun 4, 2026 Coalition ESS Score
- Jun 5, 2026 EPSS Score
- Jul 15, 2026 CISA KEV Added